Jump to content
Tuts 4 You

Leaderboard


Popular Content

Showing content with the highest reputation since 01/19/2019 in all areas

  1. 10 points
    - version 4.0: 1- add RegexSearch form. 2- New GUI after replace DataGridView with RichTextBox to easy deal and fast coding. 3- edit CustomBuildStep to Auto copy files (AdvSconfig.txt , HelpAdvancedScript.txt). 4- add AutocompleteMenu.dll . 5- add copy AutocompleteMenu.dll to x64dbg root . 6- add AdvSconfig.txt for AutoComplete list for define Commands and variables. 7- update AutocompleteMenu.dll. 8- add comments_ to Variables class to add it next to the description of the variables when call them by Ctrl+j 9- call list var's by Ctrl+j 10- add ReFill_FunctionsAutoComplete_AtLoad. 11- highlight_system done for good look and analyze. 12- add autoCompleteFlexibleList to handle commands defined in AdvSconfig.txt. 13- add open Script from out side. 14- refresh by menu and F5 to refresh highlight_system. 15- add var of x64dbg system. note : by AdvSconfig.txt u can define the commands in AdvancedSecript . AdvancedScript_4.0.zip
  2. 7 points
    Answer The password is "gamer vision". All of the following addresses are based on the modulebase 0x00007FF644840000. The possible OEP at: 00007FF644841DF8 | 48:895C24 20 | mov qword ptr [rsp+20],rbx 00007FF644841DFD | 55 | push rbp 00007FF644841DFE | 48:8BEC | mov rbp,rsp 00007FF644841E01 | 48:83EC 20 | sub rsp,20 ... Then the second hit in code section at: 00007FF6448416FC | 48:895C24 08 | mov qword ptr [rsp+8],rbx 00007FF644841701 | 48:897424 10 | mov qword ptr [rsp+10],rsi 00007FF644841706 | 57 | push rdi 00007FF644841707 | 48:83EC 30 | sub rsp,30 ... After prompted "enter password.", the input routine at: 00007FF644841400 | 48:8BC4 | mov rax,rsp 00007FF644841403 | 57 | push rdi 00007FF644841404 | 41:54 | push r12 00007FF644841406 | 41:55 | push r13 00007FF644841408 | 41:56 | push r14 00007FF64484140A | 41:57 | push r15 00007FF64484140C | 48:83EC 50 | sub rsp,50 ... the pointer of local buffer for receiving input text is in rdx(for example, 000000359CC9FA58). When entered some test characters, stack looks like: 000000359CC9FA58: 31 32 33 34 35 36 37 38 39 30 31 32 00 7F 00 00 "123456789012" 000000359CC9FA68: 000000000000000C input size 000000359CC9FA70: 000000000000000F buffer size Whereafter, the process logic virtualized. First of all, the length of input text got checked in a vCmpqr handler: 00007FF644898E0B | 49:39F0 | cmp r8,rsi ; r8=000000000000000C(actual), rsi=000000000000000C(const) The length MUST be 12!, else got "no!". NOTE: the encrypt password has no chance to get decrypted if input length is wrong! The answer String is encrypted(0xC length): 00007FF64484BCB0 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 00 00 00 decrypt algo: 00007FF6448BF3A6 | 40:8A36 | mov sil,byte ptr [rsi] rsi=00007FF64484BCB0, sil=8B 00007FF6448D4125 | 44:30DB | xor bl,r11b bl=8B, r11b=08; ^=08 = 83 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 83 00007FF64485748F | 8A09 | mov cl,byte ptr [rcx] [00007FF64484BCB0] -> 83 00007FF64485E6FA | 44:00D7 | add dil,r10b dil=83, r10b=E4; +=E4 = 67 'g' 00007FF64488E987 | 880A | mov byte ptr [rdx],cl [00007FF64484BCB0] <- 67 00007FF64488DA96 | 49:FFC4 | inc r12 ptr++ 00007FF644859691 | 41:FFC9 | dec r9d length-- 00007FF64488743C | 85C8 | test eax,ecx end loop if length zero At the end of loop, the plaintext: 00007FF64484BCB0 67 61 6D 65 72 20 76 69 73 69 6F 6E 00 00 00 00 gamer vision.... The comparison: 00007FF6448424E7 | FF25 330C0000 | jmp qword ptr [<&memcmp>] ret rax=00000000FFFFFFFF/0000000000000000(if matches) rcx=000000359CC9FA58 "123456789012" rdx=00007FF64484BCB0 "gamer vision" r8=000000000000000C Strings Encrypted Structure BYTE bEncrypt // 1 - encrypt, 0 - decrypt DWORD dwLength BYTE UnDefined[0xC] BYTE CipherText[dwLength+1] The related messages as followings, you can find them in the VM Section ".themida" after it got unpacked at the very beginning of the application. 00007FF6448AC79F 01 10 00 00 00 01 00 00 00 80 21 00 40 01 00 00 decrypt algo: ^A0+4F 00007FF6448AC7AF 00 B6 BF 85 B6 83 71 81 B2 84 84 88 80 83 B5 7F "enter password.\n" 00007FF6448AC7BF 1B 00 00007FF64484BC9F 01 0C 00 00 00 72 64 2E 0A 00 00 00 00 00 00 00 decrypt algo: ^08+E4 00007FF64484BCAF 00 8B 75 81 89 86 34 9A 8D 87 8D 83 82 00 "gamer vision" 00007FF644886C7F 01 05 00 00 00 72 20 76 69 73 69 6F 6E 00 00 00 decrypt algo: ^85+10 00007FF644886C8F 00 EC D0 E6 94 7F 00 "yes!\n" 00007FF64489252F 01 04 00 00 00 00 00 00 00 79 65 73 21 0A 00 00 decrypt algo: ^65+C9 00007FF64489253F 00 C0 C3 3D 24 00 "no!\n" 00007FF64484C40F 01 19 00 00 00 0A 00 00 00 6E 6F 21 0A 00 00 00 decrypt algo: ^12+C6 00007FF64484C41F 00 B8 BE 8D BF BF 48 8D BA BC 8D BE 48 BC BB 48 "press enter to continue.\n" 00007FF64484C42F 8F BB BA BC B1 BA BD 8D 7A 56 00
  3. 7 points
    At least they made him look cute!
  4. 6 points
    Hey guys, After a long time I started writing on my blog again. https://mrexodia.github.io/reversing/2019/09/28/Analyzing-keyboard-firmware-part-1 Best regards
  5. 6 points
    For unpacking 1) cawk unpacker 2) dump after decryption 3) fix EP 4) Proxy call fixer by Davicore 5) Strings decryptor by CC 6) Switch killer by CC 7) Dump resources (empty) 😎 Clean cctor and <module>methods (maybe 4, 5 and 6 can be replaced by cawk unpacker again) I will check the key algo tomorrow, don't have time now. a29p-EP-anti2_noproxy_stringdec-cleaned_deobfuscated-res2-cctor-module.exe -------------------------------------------------------- Username = "Usuario" Code = "161308" int length = username.length(); int num2 = length + 2 - 4 + 40 + 10; return Convert.ToString(419 * num2 * length - length); --------------------------------------------------- EDIT2: I have received a few PMs asking how to fix EP, so I will post the videos I used as reference here. Following this 2 videos you should be able to unpack confuserex fully.
  6. 5 points
    AdvancedScript beta version it is beta version it could have bug, so please report and if u like to add more features let me know. version 2.5 beta : 1- Script window is sperate. 2- Create Folder for script,form Load script with category. 3- add more mirror Functions (xorx - pushx ...), and Functions like ( if , goto,writestr ) to shortcut the work. 4- show all variables in a list with it's values. 5- edit script onfly. 6- enable to define array with range like z[n]. 7- writestr Function. 8- run from anyware in the script. 9- rest variables list in case maintenance. 10- insert rows as much as you need. 11- insert from clipboard replace all script. 12- insert from clipboard inside the script. 13- copy separated lines to used in other script. 14- insert description without confusing . 15- add the dll file of c++ runtime for each package. 16- add some scripts samples. 17- as it is beta version so it support one step not auto step , use F12 for step, sorry for that I need to check if it work then I will add auto step :} note : I forget to say use (Scriptw) command to show the Script window , but git has stop working and copy the script sample to ur script folder in x64dbg folder and pls read the help first AdvancedScript_2.5beta.zip
  7. 4 points
    Actually Winrar was a kind of an earl adopter of ECDSA licensing, but they made a mistake in the implementation, much like level 10 armadillo. I still remember when I first came across this release - i thought, man, not another hardcoded-pseude-keygen ... then I saw "SeVeN/FFF". I was like "ahh shit here we go". Problem for Winrar is that their license is tied to archive signatures - if they change it they will break the signature mechanism.
  8. 4 points
    https://github.com/DefCon42/op-mutation decided to release the source because it's a neat example of a practical application of linear algebra yes, i know the code does not look great and there's blatant violations of like every standard ever no, i won't change that :^) note: only works with relatively simple operations. add, sub, not, etc will work but higher order operators like multiplication and exponentiation will not
  9. 4 points
    And here is the fully deobfuscated file with strings decrypted i havent ran through de4dot since this will simplify your button click method to one messagebox.show Unpacked.exe
  10. 4 points
    Hey all! I recently came across this neat paper here: https://tel.archives-ouvertes.fr/tel-01623849/document where they used what they called "Mixed-Boolean Arithmetic" to obfuscate arithmetic expressions, and then showed ways to deobfuscate them. Looking a the deobfuscation methods, they seemed largely either pattern-based or wouldn't work when bigger numbers were involved. So I thought to myself, "How can I mess with this?" Well, first things first, they have no concrete method there for creating these expressions. There are two pages total dedicated to the creation of these expressions, so I had to get creative to make it work. They describe using numpy to solve the matrix equation created and using a hack-y method to circumvent not having a square matrix, but I thought that I could do a bit better... Enter two painstaking days of learning linear algebra and figuring out exactly what I needed to do. They start by computing the truth tables of some expressions, putting them into a matrix as columns, then solving for the vector that, when using the dot product on the vector and the matrix, returned zero. After that, they filtered out various "rewrite rules" from the matrix generated. You can read more about this in the paper, though there's not much to go off of. They use numpy's linalg.solve to do this, but that only works with square matrices and produced results with constants that were a tad small for my taste :^) After a bit of research I found a python module called cvxpy, designed to find values that satisfy an expression under certain constraints. Even cooler was that you could specify matrix equations and integer-only solutions, which is exactly what I needed. After tinkering with it for a bit, I was able to reliably create expressions like these (representing a xor b): -27540 * (~a & b) + 373574 * (~a ^ ~b) + -27541 * (a & ~b) + -27541 * (~a & b) + -11 * (a + b) + -30436 * (~a & ~b) + -30436 * (~a * ~b) + 137712 * (a * ~b) + -27544 * (~a) + 1 * (b) + 3 * (~a + ~b) + -221347 * (~a - ~b) + 13 * (a + b) + -2 * (a) + -30454 * (~a + ~b) + -30454 * (~a + ~b) + -3 * (b) + -30449 * (a | b) + -27546 * (~b) 3672455 * (~a * b) + -362611 * (a ^ b) + 78113 * (a) + -524636 * (~b) + -524636 * (a ^ ~b) + 78113 * (a) + -524636 * (~a | b) + -362611 * (a ^ b) + -959545 * (a | b) + -78113 * (a - b) + -959545 * (~a + ~b) + -524636 * (~a) + 142249 * (a + b) + -959544 * (~a + ~b) + 142249 * (a + b) + -524637 * (a - ~b) + -524637 * (~a) + -524637 * (a & ~b) + 3241246 * (~a ^ ~b) Using truth tables modulo 4 instead of modulo 2 I was also able to compute equivalencies for multiplication, which was pretty neato. However, using the same method of computing the truth table and finding an equivalent expression you can reverse this sort of operation. I'll leave that as an exercise to the reader. EDIT: As a friend of mine pointed out, this will work with any operation that can be reducible to boolean math (i.e. xor, addition, subtraction, multiplication), not just arithmetic operations.
  11. 4 points
    slugsnacks reversing series by c0lo: Link: https://kienmanowar.wordpress.com/slugsnacks-reversing-series-by-c0lo/slugsnacks-reversing-series-5/
  12. 3 points
    Hey there, i've been playing with VirusTotal graph since some weeks. Originally i did a graph just for building a landscape of files for ATM Wall, the graph can be seen here: https://www.virustotal.com/graph/embed/g9521270d163a4778aa5bc376c0d80375b11f2d95beee484498dbdaafc989ee5f I got the idea of doing this after having seen the work of @vanjasvajcer about ATM malware classification. But i started to got vicious with VT graph so here is some interesting graphs i did based with VT and kernelmode.info: Zeus World (v2.1.0.1 and inferior): https://www.virustotal.com/graph/embed/gf17a46025f554bc4a4d0edaff78d4aabee6388c959584ac8981961ae32af6994 Big nebula of zeus builders since code leak of v2.0.8.9, contain also few very old builders and some have funny messages inside destined to AV vendors. IceIX World (v1.2.5 and v1.2.6): https://www.virustotal.com/graph/embed/g3e3dfb66d191404593284509fbf9028c5253ee1651ee4da9b24225bf262634bf Citadel World (v1.3.4.5 and v1.3.5.1): https://www.virustotal.com/graph/embed/g1d0637aa096e45b2b1336844fe81e1e286a588fa049a4d529357c0a1d2f1646d Atmos World (v1.01): https://www.virustotal.com/graph/embed/ga7f70bed1f6f4394b4b503b5dcee997c66251a48418b4b3fba03119d3196389e Builders, releases, fews files. SpyEye World: https://www.virustotal.com/graph/embed/g98d5440408854a90b8e5fce2bd4003b40a7295519d5c4e0abe39a470a9fcadb5 Research about plugins are based on the spyeye thread on kernelmode.info, contain a nice timeline of the versioning and most of interesting files i guess. Carberp 'krabs.7z': https://www.virustotal.com/graph/embed/gd6210da59ece445f8e0469a7408a4905126fa5722cdb4b759330e073a29e7429 Files annotation based on kernelmode.info thread again (https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793), chaos mosaic at the image of the archive. BestAV affiliate: https://www.virustotal.com/graph/embed/g0741bdd40e4b4bc7a4c77e8240de0667f2ea89df4124484b87717ad081f741aa Lot of FakeAV files found with communicating IPs, graph based also on fews posts on kernelmode and also from my personal archive about thoses guys And not related to malware but you can do also funny things: Looking for an ollydbg modification ? https://www.virustotal.com/graph/embed/gd11e600f461c476082159553dadde7ac102288cd74df42d38f84291e97f2263a You have lost your SoftIce CD ? https://www.virustotal.com/graph/embed/g7534bcb28a2a439a8d466f69542374127b54265b605c4589adbf97191a1b0467 a small landscape about dongle piracy https://www.virustotal.com/graph/embed/g035609ac24c94751ae94aef309b6599010d8ccd1549f49f3b8ef7e20febd3f9f
  13. 3 points
    Console example x64plgmnrc.exe -G "C:\x64dbg_root" // Set root path for x64dbg x64plgmnrc.exe -U // Update list from server x64plgmnrc.exe -S // Show list of plugins x64plgmnrc.exe -i x64core // Install last version of x64dbg x64plgmnrc.exe -i AdvancedScript // install AdvancedScript https://github.com/horsicq/x64dbg-Plugin-Manager
  14. 3 points
    https://invidio.us/ src - https://github.com/omarroth/invidious
  15. 3 points
    Hi New Update with more features : https://github.com/Ahmadmansoor/AdvancedScript AdvancedScript version 4.3 https://github.com/Ahmadmansoor/AdvancedScript/releases * Add new commands and fix some bugs * fix error load of the Auto Commands when there is no ; * Fix AutoRun and stepson ( wait command to finish). * Fix color variable name. * Add ReadFile , Write2Mem , ReadMem * Add GoToByBase Form ( https://www.youtube.com/watch?v=gQxlbC8RnRg ) * Assigne variable directly no need to Setx Command. Sample : Varx str,memory // var will hold the hex value Varx int,rax_,0 // read rax value +1 Varx str,ourStr // read test string ReadMem $memory,{rax},5 $rax_={rax} +1 $rax_=ads.exebase ReadStr $ourStr,{rdx}
  16. 3 points
    That is most likely not your crackme. But what the hell.. Load it in IDA, decompile serial check and it will look like this: if ( ++idx >= 29 ) { if ( count_of_sevens == 1 && String[6] == '7' ) { v5 = (unsigned __int8)entered_key[0]; if ( entered_key[0] ) { LOBYTE(v5) = entered_key[4]; if ( v5 ) { LOBYTE(v5) = entered_key[8]; if ( v5 ) { LOBYTE(v5) = entered_key[12]; if ( v5 ) { LOBYTE(v5) = entered_key[16]; if ( v5 ) { LOBYTE(v5) = entered_key[21]; if ( v5 ) { part1 = getintfromkey(0, 4, 0); part2 = getintfromkey(0, 4, v6); part3 = getintfromkey(0, 4, v7); part4 = getintfromkey(0, 4, v8); part5 = getintfromkey(0, 5, v9); part6 = getintfromkey(0, 8, v10); v11 = part1 * (unsigned __int8)entered_key[7]; v12 = part1 * (unsigned __int8)entered_key[6]; v13 = part1 * (unsigned __int8)entered_key[4]; if ( v11 == part5 && v12 == part3 && !(part1 * (unsigned __int8)entered_key[5]) && v13 == part4 && 1000 * v13 + 10 * v12 + v11 == part6 ) { ...show good boy message... There are some checks for specific character values: * char 6 must be "7", there may not be any other "7" in the key; * char 5 must be "0"; * chars 4,8,12,16,21 may not be "0"; Key is split into in several parts: part1 = first 4 chars part3 = chars 8..11 part4 = chars12..15 part5 = chars16..20 part6 = chars21..28 Then it does some simple multiplication and checks the result. At this point you have 2 options: - make a tool that will randomly choose part1 and chars 4 and 7, do the multiplication to calculate parts 3, 4, 5, 6 and see if it passes all checks. - remember math lessons from school and figure out the only possible combination that will pass all checks. First one is much faster, second one will be .. challenging. Either way, you should arrive at the only possible solution: Well, in fact, there is infinite number of valid keys. You can append random characters to the key above, they are not checked..
  17. 3 points
    Download: https://github.com/horsicq/nfdx64dbg/releases Sources: https://github.com/horsicq/nfdx64dbg More Info: https://n10info.blogspot.com/2017/05/nfd-plugin-for-x64dbg.html
  18. 3 points
    I really, really disagree. Not all websites are valuable. And not all passwords should chosen to be secure. In fact, this was something I wanted to write about for a long time already, so here it goes: https://lifeinhex.com/my-password-is-password/ (shameless self-promo, I know! )
  19. 3 points
    https://github.com/LisaDziuba/Awesome-Design-Tools#no-code-tools bonus (free -> add to cart -> mailinator -> 498mb) - hxxps://fusionretrobooks.com/collections/pdf/products/the-story-of-the-commodore-amiga-in-pixels_pdf
  20. 3 points
    Used protector (I've forget to specify): https://www.52pojie.cn/thread-652274-1-1.html http://distro.crack.vc/index.php?dir=RceTools/Packers/ Finally made scripts and a tutorial on how to restore stolen bytes: https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/ BR.
  21. 2 points
    I am glad you have a workaround for this in the end. You may find suspending operation for around ~10 milliseconds after setting the cursor position and before simulating the mouse down input, using the Sleep function, adds a little bit more reliability and may not require you to add a second call to SetWindowPos. If you are concerned about accidentally activating a menu when simulating the mouse down you can calculate the centre of the windows titlebar or populate NONCLIENTMETRICS structure. Just be mindful there may be occasions where this may still occur particularly with owner drawn windows and Windows 10 apps. I still recommend the timer option... 😎 Ted.
  22. 2 points
    @Washi has finally made his writeups public: https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2019/ Some of his solutions make me green with envy. Great job!
  23. 2 points
    I created this experimental project. I hope someone can be useful. any collaboration and improvement is welcome thank you https://github.com/Pigrecos/Triton4Delphi
  24. 2 points
    Hi, hmmm,long time ago already.Dont remember anymore about that.I just checked my codes and seen that I was using the PEB reading method like this... local STARTUP:STARTUPINFO local PI:PROCESS_INFORMATION local PIS:PROCESS_BASIC_INFORMATION local BASEADDRESS:DWORD invoke RtlZeroMemory,addr STARTUP,sizeof STARTUP invoke RtlZeroMemory,addr PI,sizeof PI invoke RtlZeroMemory,addr PIS,sizeof PIS mov STARTUP.STARTUPINFO.cb ,sizeof STARTUPINFO invoke CreateProcess,addr TARGETNAMEPATHBUF,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,addr STARTUP,addr PI .if eax == 0h ; fails ret .endif invoke NtQueryInformationProcess,PI.PROCESS_INFORMATION.hProcess,ProcessBasicInformation,addr PIS,sizeof PIS,NULL .if eax != 0h ; fails @@: invoke TerminateProcess,PI.PROCESS_INFORMATION.hProcess,0 .if eax != 1 ; fails .endif mov eax, 0h ret .endif mov esi,PIS.PROCESS_BASIC_INFORMATION.PebBaseAddress add esi,8 invoke ReadProcessMemory,PI.PROCESS_INFORMATION.hProcess,esi,addr BASEADDRESS,sizeof BASEADDRESS,NULL .if eax != 1 ; fails jmp @B .endif mov esi, BASEADDRESS greetz
  25. 2 points
    For Harmony You need to load Target executable to the current domain in other words you need to create application loader. The Step: 1. Create new WinForms (loader) - Add reference to 0Harmony.dll and Target.exe - Add button, name it btnOpenApp with click handler private void btnOpenApp_Click(object sender, EventArgs e) { AssemblyName assemblyName = AssemblyName.GetAssemblyName(@"c:\path\to\Target.exe"); var assembly = Assembly.Load(assemblyName); var methodBase = assembly.ManifestModule.ResolveMethod(assembly.EntryPoint.MetadataToken); // do the patch Harmony.Patch(); // Open the Target new Thread(() => { // assume method entry point is static and doesn't have parameter methodBase.Invoke(null, null); }).Start(); } 2. Create class Harmony.cs using Harmony; using System; using System.Reflection; using System.Windows.Forms; namespace YourWinformsNameSpace { internal static class Harmony { public static void Patch() { HarmonyInstance h = HarmonyInstance.Create("test.patch.by.ewwink"); h.PatchAll(Assembly.GetExecutingAssembly()); } [HarmonyPatch(typeof(Target.FormClass), "calculate")] [HarmonyPatch(new Type[] { typeof(int), typeof(int) })] public class Patchcalculate { static void Prefix(int num1, ref int num2) { MessageBox.Show(string.Format("Second param {0} will be patched to 7", num2)); num2 = 7; } } } } The above will patch second parameter for calculate method to 7. make sure target Framework and CPU is match.
  26. 2 points
    or simply use tools like RunAsDate
  27. 2 points
    Read about LR_LOADTRANSPARENT flag for LoadImage. That's how it was done in the old days before alpha blending..
  28. 2 points
    Load icon Create a compatible bitmap same size as icon Use DrawIcon / DrawIconEx to draw the icon into the hdc's bitmap return the hBitmap and free any resources not required - dc's, icon (if not needed anymore) Use the SetMenuItemBitmaps Might need to include a few other steps but the basics outlined should convert the icon to a bitmap.
  29. 2 points
    login pass: steps to unpack: 1. removed anti tamper and some junk calls 2. cleaned cflow (Thanks to Tesla for cflow cleaning) 2. removed proxy calls 3. removed proxy calls again 4. converted x86 methods to IL 5. decrypted all constants 6. cleaned cflow again (Thanks to Tesla for cflow cleaning) 7. cleaned some small stuff with de4dot. UnpackMe3-cleaned_noProxy_noProxy-NoX862-StringDec_cleaned-cleaned.exe
  30. 2 points
    Best days of programming before all this Java and Android chaos
  31. 2 points
    Here is the hotfix for anyone who wants to install without turning on Data Collection and Use... hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi
  32. 2 points
    I knocked up a quick example, you could do something similar to this... Declare.i WinProc(hWnd, Msg, wParam, lParam) Declare.i SetMenuItemBold(MenuNum) Global hMenu If OpenWindow(0, 0, 0, 250, 100,"Right click in the window...", #PB_Window_SystemMenu | #PB_Window_ScreenCentered) If SetWindowCallback(@WinProc()) hMenu = CreatePopupMenu(0) If hMenu ; Create a text array for the menu item text. Global Dim menutext.s(4) menutext(0) = " MenuItem 0" menutext(1) = " MenuItem 1" menutext(2) = " MenuItem 2" menutext(3) = " End" ; Create the menu items and point to the array containing the text. MenuItem(0, menutext(0)) MenuItem(1, menutext(1)) MenuItem(2, menutext(2)) MenuItem(3, menutext(3)) ; Set menu items to #MFT_OWNERDRAW For a = 0 To 3 With tag.MENUITEMINFO \cbSize = SizeOf(MENUITEMINFO) \fMask = #MIIM_TYPE \fType = #MFT_OWNERDRAW \dwTypeData = @menutext(a) SetMenuItemInfo_(hMenu, a, #True, @tag) EndWith Next EndIf ; PureBasic window event loop. Repeat Event = WaitWindowEvent() Select Event Case #PB_Event_RightClick DisplayPopupMenu(0, WindowID(0)) ; When a menu item is clicked on set it to bold. Case #PB_Event_Menu Select EventMenu() Case 0 : SetMenuItemBold(EventMenu()) Case 1 : SetMenuItemBold(EventMenu()) Case 2 : SetMenuItemBold(EventMenu()) Case 3 : End EndSelect EndSelect Until Event = #PB_Event_CloseWindow EndIf EndIf Procedure.i WinProc(hWnd, Msg, wParam, lParam) Static hbrush Select Msg Case #WM_DESTROY ; Delete created objects once the window is destroyed. DeleteObject_(hbrush) Case #WM_MEASUREITEM ; lParam - Pointer to a MEASUREITEMSTRUCT structure that contains the dimensions of the owner-drawn control or menu item. *lpm.MEASUREITEMSTRUCT = lParam ; Define the width and height for the menu item to be created. *lpm\itemWidth = 200 *lpm\itemHeight = 30 Case #WM_DRAWITEM: ; lParam - Pointer to a DRAWITEMSTRUCT structure containing information about the item to be drawn and the type of drawing required. *lpd.DRAWITEMSTRUCT = lParam ; If a menu item is selected, use #COLOR_MENUHILIGHT. If *lpd\itemState & #ODS_SELECTED hbrush = CreateSolidBrush_(GetSysColor_(#COLOR_MENUHILIGHT)) SelectObject_(*lpd\hDC, hbrush) EndIf ; Set the background mix mode of the specified device context to #TRANSPARENT. ; This sets the text background to #TRANSPARENT (otherwise its background will be filled a different colour from that of the menu). SetBkMode_(*lpd\hDC, #TRANSPARENT) ; Set the device context boundary pen colour, the null pen draws nothing. SelectObject_(*lpd\hDC, GetStockObject_(#NULL_PEN)) ; A rectangle that defines the boundaries of the control to be drawn. ; When drawing menu items, the owner window must not draw outside the boundaries of the rectangle defined by the rcItem member. Rectangle_(*lpd\hDC, *lpd\rcItem\left, *lpd\rcItem\top, *lpd\rcItem\right, *lpd\rcItem\bottom) If menutext(*lpd\itemID) = menutext(1) SetTextColor_(*lpd\hDC, #Green) DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) ElseIf menutext(*lpd\itemID) = menutext(2) ; Calculate the length of the menu item text. DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #DT_CALCRECT) ; Set the menu item text colour and then draw it. SetTextColor_(*lpd\hDC, #Blue) DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) ; Save the old right co-ordinate so we can offset the additional menu item text. oldRight = *lpd\rcItem\right ; Calculate the length of the additional menu item text. DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #DT_CALCRECT) ; Calculate the offset to add the new text in the menu. *lpd\rcItem\left = oldRight *lpd\rcItem\right + oldRight ; Set the menu item text colour and then draw it. SetTextColor_(*lpd\hDC, #Red) DrawText_(*lpd\hDC, " Tuts4You", -1, @*lpd\rcItem, #Null) Else DrawText_(*lpd\hDC, menutext(*lpd\itemID), -1, @*lpd\rcItem, #Null) EndIf EndSelect ProcedureReturn #PB_ProcessPureBasicEvents EndProcedure Procedure SetMenuItemBold(hMenuNumSel) bold.MENUITEMINFO bold\cbSize = SizeOf(bold) bold\fMask = #MIIM_STATE bold\fState = #MFS_DEFAULT SetMenuItemInfo_(hMenu, hMenuNumSel, #True, bold) EndProcedure Ted. Coloured Menu Item.exe
  33. 2 points
    Check Ted's answer again: So if you want colors (any at all) or mix normal/bold then you will need to draw the items yourself using the GDI api SetTextColor and TextOut and those functions after responding to the draw item event by setting the owner draw flag.
  34. 2 points
    I use something like this if I want to make a menu item bold... bold.MENUITEMINFO bold\cbSize = SizeOf(bold) bold\fMask = #MIIM_STATE bold\fState = #MFS_DEFAULT SetMenuItemInfo_(MenuID(0), 2, #True, bold) ;"2" is the MenuItem to be made bold https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-setmenuiteminfow https://docs.microsoft.com/en-au/windows/desktop/api/winuser/ns-winuser-tagmenuiteminfoa Ted.
  35. 2 points
    https://youtu.be/Sv8yu12y5zM bonus - VSCodium - Binary releases of VS Code without MS branding/telemetry/licensing - hxxps://github.com/VSCodium/vscodium
  36. 2 points
    9.0.2 released with the source which notes can be found on their site: https://ghidra-sre.org/releaseNotes.html With the source, they did include the decompiler's source code which some were concerned with being released. It's there and is coded in C/C++ so there is potential for things to get better as time goes on with community help/support. Would love to see it become on par with IDA's and better in the long run. Given how Ghidra is setup too, if it does start to become on par/better of a decompiler someone could essentially turn it into an IDA plugin if they wanted.
  37. 2 points
    C generate all possible combination of strings - for brute force: char* ValidChars = "0123456789ABCDEF"; int MinimLen = 1; int MaximLen = 2; char SpecialChars[255] = {0}; char GeneratedString[50] = {0}; int Valid_Chars_len = strlen(ValidChars); SpecialChars[0] = ValidChars[0]; // the first char will be first allowed char // SpecialChars[i] will point to next char like this: // SpecialChars['a'] = 'b'; // SpecialChars['b'] = 'c'; // SpecialChars['c'] = 00; // the end of a loop for (int i=0;i<Valid_Chars_len-1;i++) SpecialChars[ValidChars[i]] = ValidChars[i+1]; memset(GeneratedString, ValidChars[0], MinimLen); // we start with 'aaa' string char NextChar; int Pos = 0; while (1) { Pos = 0; printf("gen = %s\r\n", GeneratedString); LoopStart: NextChar = SpecialChars[GeneratedString[Pos]]; if (NextChar!=0) { GeneratedString[Pos] = NextChar; } else { GeneratedString[Pos] = SpecialChars[0]; // we start again Pos++; if (Pos>=MaximLen) break; goto LoopStart; } } The code works 100% ok but it is a bit ugly especially the "goto LoopStart;" Any other optimizations I could make to the above code or other generation of all combinations possibility? Obviously should be optimized to the maximum!
  38. 2 points
    Find it funny how the agitator creates the topic to try and bring attention to what he had to post later on Puny schemes. People just have lives; RE isn't going anywhere. Same as there's been one generation of smart, skilled and enthused people, others will follow. Circle of life. What I do find funny is how this "high-level programming" works even with big companies, such as Denuvo. I put quotes because same as Java relies on a ton of shit OTHER people wrote across time, which they now just import, similarly Denuvo relies on VMProtect to shield whatever crap they've got going on. Were it not for it, we'd have gotten ourselves the ol' time SecuROM/SafeDisc fiascos. I digress.. Congrats, ExoD And keep it up, love your work.
  39. 2 points
    Tools: dnSpy, ConfuserEx Tools, de4dot ConsoleApplication3_unpacked.exe
  40. 1 point
    Rufus states... else you could try an old version http://olddownload.com/rufus-usb/?windows=XP
  41. 1 point
    Hi all: Recently I've analyzed a VB malware sample. This VB injector runs on physical analyzer machine (Win7 x86) and virtual machines (Win7 x64 and Win XP) without injection behavior. But when I upload the sample to the online sandbox, it appears to inject iexplorer.exe and sends DNS request to C&C server. By the way, the VC runtime library and .NET framework 2&4 are already installed on the virtual machine. I have not found any way to make the sample appear any injection behavior by checking Process Monitor yet. Can anyone figure out the reason, it's welcome to communicate, or is there anyone who can dump out its Trojan body, please let me know, thks a lot... The password of the sample zip package is "infected". Do not run or debug on the real machine! ANY.RUN report (PC-side access): https://app.any.run/tasks/2be96389-5c11-4541-b3b2-bb027f445add/ Hybrid Analysis report: https://www.hybrid-analysis.com/sample/0e0a3f5fa2d7e092dbb9e31b55e8f1dc6879673d9af92735577522dc504e7af9?environmentId=120 VB_Injector_password_infected.zip
  42. 1 point
    As @atom0s already mentioned SetFocus is what you are after if you want keyboard events in your window... Ted.
  43. 1 point
    Check this by Mr. Kurapica: https://forum.tuts4you.com/topic/38536-x64dbg-conditional-branches-logger-plugin
  44. 1 point
    Hi Progman, so it would be nice to have / find some kind of complete Ownerdraw example template code but didnt found anything like that.Ony short codes to handle this or that you know.Also for a menu OD I didnt found any full code example / template to handle all situations for menus etc. No I didnt checked the Win 2000 source.Maybe I wouldnt also find where this OD code is stored into (file xy). greetz
  45. 1 point
    Source Code of Ghidra Released:
  46. 1 point
    You have to reverse engineer how and from what the file checksum is calculated, and then fix the checksum in your exploit-file, yes. If you are lucky and need just the one checksum, you can try to find where it compares the invalid checksum with the one it expects, and just replace the checksum in your file with that.
  47. 1 point
    https://github.com/Pigrecos/Z34Delphi My new repository for using Z3 in delphi(porting z3 c api to delphi). I tried and there were no tools for symbolic execution in delphi
  48. 1 point
    Last night I dreamt my football team would win 0-1. The next morning I heard the score over the radio that they had won the game 0-1. A betting man would want to have these dreams the night before... Ted.
  49. 1 point
    As mentioned in a prior thread, Kernighan and Ritchie is the de-facto standard in this case. You can get it for free here: http://www.dipmat.univpm.it/~demeio/public/the_c_programming_language_2.pdf
  50. 1 point
    Well, there are few dedicated persons in the world who can do that. Noobs can't. And there are no up-to-date public tools (Deathway's tools are not working for most VMs already). So, after doing simple cost-benefit analysis, Themida guys will sleep really well.
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...